Commit graph

2532 commits

Author SHA1 Message Date
Christian Bläul
f49bbf4c45 Documentation of config options: Improve loglevel
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 00:03:29 +02:00
Christian Bläul
c065d45da8 Documentation of config options: Improve db
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 00:03:04 +02:00
Sheogorath
9c1665ae5b
Release version 1.5.0 2019-08-15 23:30:37 +02:00
Sheogorath
09e1584800
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:25:30 +02:00
Sheogorath
fce0e18ad0
Add arabian translation
Thanks to our great translators that made it to translate the major
parts of CodiMD into Arabic!

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:20:52 +02:00
Sheogorath
c178947402
Disable PDF export due to security issue
As a temporary fix, to keep you and your users save, this patch disables
the PDF export feature. Details of the attack along with a fix for
future versions of CodiMD will be released in future.

I hope you can live with this solution for this release because I'm
super short on time and the alternative would be to ship no fix at all.
This appears to be the better solution for this release.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:14:54 +02:00
Sheogorath
e574ae7588
Switch mysql library to mysql2
The recent sequelize upgrade introduced some other dependencies, this is
one of them. This patch replaces the old `mysql` library with `mysql2`.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:14:53 +02:00
Sheogorath
c07ae7eda1
Fix variable names for docker secrets
It seems like since we switched to camelcase we missed to update some
variable names in the config section. This patch fixes those.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:14:53 +02:00
Sheogorath
c4053ea7ce
Update meta-marked to latest version
Meta-marked 0.4.4 which we used from our git repository contains a
RegexDOS attack in the marked dependency. The dependency was already
updated in our meta-marked repository, but not updated in yarn.

This made us still vulnerable to this ReDOS which was able to cause a
DOS attack on the server when updating a note.

For Details:

https://github.com/markedjs/marked/releases/tag/v0.7.0
https://github.com/markedjs/marked/pull/1515

What is a ReDOS?

A ReDOS attack is a DOS attack where an attacker targets a
not-well-written Regular Expression. Regular expressions try to build a
tree of all possibilities it can match in order to figure out if the
given statement is valid or not. A ReDOS attack abuses this concept by
providing a statement that doesn't match but causes extremly huge trees
that simply lead to exhausting CPU usage.

For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

Credit:

Huge thanks to @bitinerant for finding this and handling it with a
responsible disclosure.

Also thanks to the `marked`-team for fixing things already.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:14:48 +02:00
Sheogorath
57cfbcbd47 Update id.json (POEditor.com) 2019-08-15 23:14:28 +02:00
Sheogorath
ec83605f29
Merge pull request #141 from alangecker/fix/migration-should-return-promise
fix: migration should return promise
2019-08-12 14:40:30 +02:00
chandi
6280e92d10 fix: migration should return promise
Signed-off-by: chandi <git@chandi.it>
2019-08-12 14:13:34 +02:00
Sheogorath
478062b9aa
Merge pull request #140 from SISheogorath/docs/updateIcons
Update badge icons
2019-08-08 10:32:29 +02:00
Sheogorath
1a4a0c41a4 Update de.json (POEditor.com) 2019-08-03 18:16:00 +02:00
Sheogorath
1cc9d2e50e
Update badge icons
I just noticed that shields.io provides some nice new badges including
one explicitly for Matrix and one for Mastodon. Since those are really
our platforms, let's get them into our README. Just a cosmetic change.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-03 17:57:47 +02:00
Sheogorath
7d67566b96
Update yarn.lock 2019-08-01 20:14:48 +02:00
Salim B
5e7715a4e2
Slightly improve docker-linux-server.md
- fix typo
- add link to PhantomJS
- improve formatting

Signed-off-by: Salim B <salim@posteo.de>
2019-08-01 20:11:55 +02:00
Sheogorath
e85f4defbb
Merge pull request #114 from SISheogorath/fix/linuxServerDocs
Fix some minor quirks in the LinuxServer.io docs
2019-08-01 20:07:09 +02:00
Sheogorath
788d8ca933
Fix some minor quirks in the LinuxServer.io docs
The current documents might end up confusing people and are not
completely accessible. This minor fixes should clear up the situation
and add alt texts to all badges, explain the links at the end of the
docs, and list LinuxServer.io in the supported provider section of the
README.

Some reasoning on the change in the listing:
Since we maintain an own container image which is for sure kept updated
on release, this is our first listing, as well as general solutions that
are build on that image, like the K8s integration.

The next listings are integrated provides which allow self-hosting, like
Cloudron and I also consider LinuxServer.io as this kind of providers.
Which try to enable people to run CodiMD on their own hardware or rented
servers in a very easy way, but by using their own images.

As third category I would look at hosted offers, like Heroku, which are
not completely SaaS but far enough away from the self-hostability that
I consider them as an own category. PaaS-based solutions are not as
FOSS-style as we want our setups to be, but of course still supported.

Finally the manual setup. We keep it down here, because we support it,
but don't recommend it in general. It's hard to upgrade and can cause
problems when dependencies are not correctly updated or people don't run
the db migrations.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-01 20:03:07 +02:00
Sheogorath
1ec083a091
Merge pull request #137 from codimd/snyk-fix-90a963f5d1c4d3e15b1c30f372c2f444
[Snyk] Fix for 1 vulnerable dependencies
2019-08-01 19:59:10 +02:00
snyk-test
6f588826e0 fix: package.json to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-MERMAID-174698
2019-07-24 05:32:45 +00:00
Sheogorath
1bfed17f8c
Merge pull request #104 from SISheogorath/feature/dnt
Respect DNT header
2019-07-20 12:50:13 +02:00
Sheogorath
2f6e81e4db
Merge pull request #128 from dargmuesli/docker-secrets
DB URL: Secret File Support
2019-07-20 12:49:19 +02:00
Jonas Thelemann
cc78dd0428
Docker Secrets: Add DB URL Support
As the connection string may include a password it should be supported by Docker Secrets.

Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
2019-07-01 19:43:42 +02:00
Sheogorath
118314d8dd
Merge pull request #119 from lhw/patch-1
Add SVG image detection based on file extension
2019-07-01 19:03:18 +02:00
Sheogorath
0d5923d61c
Update sequelize to latest version
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-06-22 16:29:09 +02:00
Sheogorath
502fae70a4
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-06-22 16:23:24 +02:00
Sheogorath
fd2731042f
Merge pull request #107 from SISheogorath/feature/db-upgrade
Fix sequelize by updating to the latest version
2019-06-22 16:17:11 +02:00
Lennart Weller
f22a563116 Add SVG image detection based on file extension
Add simple SVG image detecetion base on the file extension .svg.
This fixes the SVG being delivered as binary/octet-stream and makes it possible to embedd the SVG.

Signed-off-by: Lennart Weller <lennart.weller@hansemerkur.de>
2019-06-18 17:13:50 +02:00
Sheogorath
8612740f82 Update sv.json (POEditor.com) 2019-06-16 10:59:48 +02:00
Sheogorath
3d2f5daa0f Update de.json (POEditor.com) 2019-06-16 10:59:46 +02:00
Sheogorath
4b4c6d6168
Merge pull request #111 from CHBMB/ls.io
Add docker image from LinuxServer.io as an install option.
2019-06-13 17:30:07 +02:00
chbmb
04d26637d6 Add docker image from LinuxServer.io as an install option.
As requested by @SISheogorath [here](https://github.com/linuxserver/docker-codimd/issues/4#issue-454332233) and further to discussion about previous PR [here.](https://github.com/codimd/server/pull/110#issuecomment-501214087)

Signed-off-by: Neil Green <chbmb@linuxserver.io>
2019-06-12 11:46:49 +01:00
Sheogorath
1e48b763d6
Merge pull request #106 from SISheogorath/fix/dco-location
Move DCO into docs section
2019-06-11 10:23:30 +02:00
BoHong Li
63c96e7359
fix: upgrade sequelize to latest version to fix CVE
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-06-11 00:41:50 +02:00
Sheogorath
7cdb325e1c
Move DCO into docs section
The DCO currently resides in an own directory creating a pointless
additional click/tab in order to reach end read it. It also just
clutteres the directory structure of the project.

Therefore this patch provides moves the DCO into an own legal section in
the docs directory, which is hopefully a more reasonable place.

This section can also be extended in future in order to host other legal
documents as well.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-06-10 17:35:36 +02:00
Sheogorath
02929cd4bf
Merge pull request #103 from SISheogorath/feature/improve-logging
Rework debug logging
2019-06-09 13:47:32 +02:00
Sheogorath
da4665c759
Respect DNT header
Do Not Track (DNT) is an old web standard in order to notify pages that
the user doesn't want to be tracked. Even while a lot of pages either
ignore this header or even worse, use it for tracking purposes, the
orignal intention of this header is good and should be adopted.

This patch implements a respect of the DNT header by no longer including
the optional Google Analytics and disqus integrations when sending a DNT
header. This should reduce outside resource usage and help to stay more
private.

This should later-on extended towards other document content (i.e.
iframe based content).

The reason to not change the CDN handling is that CDNs will be
deprecated with next release and removed in long term.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-06-08 23:43:50 +02:00
Sheogorath
b5fc6db75d
Rework debug logging
We have various places with overly simple if statements that could be
handled by our logging library. Also a lot of those logs are not marked
as debug logs but as info logs, which can cause confusion during
debugging.

This patch removed unneeded if clauses around debug logging statements,
reworks debug log messages towards ECMA templates and add some new
logging statements which might be helpful in order to debug things like
image uploads.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-06-08 21:27:29 +02:00
Sheogorath
6462968e84
Merge pull request #97 from SISheogorath/fix/linting
Fix eslint warnings
2019-06-04 16:09:46 +02:00
Sheogorath
ae32a12930
Merge pull request #93 from ttasovac/master
fixed styling of slides preview
2019-06-04 16:09:26 +02:00
Claudius Coenen
9140ca3c96
Merge pull request #98 from codimd/ccoenen-patch-1
mentioning the node 6 deprecation along with the migration guide
2019-05-31 15:21:57 +02:00
Claudius Coenen
8d576895ea
mentioning the node 6 deprecation along with the migration guide
Signed-off-by: Claudius <opensource@amenthes.de>
2019-05-31 15:16:24 +02:00
Sheogorath
51d69d993c
Release version 1.4.0
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-05-31 01:08:45 +02:00
Sheogorath
4da68597f7
Fix eslint warnings
Since we are about to release it's time to finally fix our linting. This
patch basically runs eslint --fix and does some further manual fixes.
Also it sets up eslint to fail on every warning on order to make
warnings visable in the CI process.

There should no functional change be introduced.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-05-31 00:30:29 +02:00
Sheogorath
ac0bcb1c81
Merge pull request #94 from SISheogorath/fix/mathjax
Fix hidden MathJax output
2019-05-30 19:16:34 +02:00
Sheogorath
6f4841dcd2
Fix hidden MathJax output
In order to have a better experience when linking to headlines based on
their ID, a patch[1] introduced a new CSS construct to add some space in
front of HTML tags with an id field. Therefore they would no longer be
hidden by a visible navbar.

This cause a regression bug by moving the rendered mathjax out of its
visible area. This patch fixes the problem by restricting the previous
change to headlines only.

[1]: commit c9af13cf34

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-05-30 13:26:24 +02:00
Toma Tasovac
9e7b081bd9 fixed styling of slides preview
Signed-off-by: Toma Tasovac <ttasovac@humanistika.org>
2019-05-30 10:53:08 +02:00
Sheogorath
3eca0a74ae
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-05-30 00:10:44 +02:00
Sheogorath
e02defd402
Add Discourse link to footer
As we are about to announce the community forum, we should provide a
link to it in the footer. This patch adds Discouse between Riot, GitHub
and Mastodon as platform to follow our progress.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-05-30 00:02:37 +02:00